If an attacker is identified or a workload is suspected of being compromised, you need to act fast. ThreatStryker can automatically block attackers, both internal and external, and can isolate tainted workloads to prevent further exploitation and lateral movement.
ThreatStryker uses the Cyber Kill Chain to model the progress of a potential attack, from Reconnaissance to Exfiltration, and assigns a risk score to each attack event. ThreatStryker raises notifications, and can also perform automated actions once a suspected attack reaches a configured stage threshold in the Kill Chain.
The sources of identified malicious network traffic can be automatically detected and firewalled, using the networking primitives already present on the host (Kubernetes CNI, eBPF). ThreatStryker can block specific sources, external or internal, in order to neutralize an attack and prevent lateral movement.
ThreatStryker correlates network activity with on-host events (file and process integrity) to judge whether a host or container is tainted; requiring both kinds of evidence reduces the chance that a single noisy signal triggers a disruptive response. ThreatStryker can then execute the corresponding quarantine action to isolate, terminate, or restart the workload.
Many attacks build up over a long period of time. An attacker may compromise one service or workload, then explore from there to find other targets. ThreatStryker archives suspicious behavior over long periods to build a picture of the increasing risk and to provide evidence for forensic investigation.
When protecting Kubernetes, ThreatStryker can automatically kill tainted pods. The Deployment's ReplicaSet controller then starts a fresh replacement from the original container image, so any loss of capacity is brief. Two caveats apply to any kill-and-replace response: the replacement runs the same image, so if the initial foothold was a vulnerability in that image it can be exploited again until the image is patched, and deleting the pod discards its writable filesystem layer and process memory, so collect forensic evidence first, or detach the pod from its Service and ReplicaSet instead of deleting it when evidence matters.
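To make the stage-threshold, correlation and response logic described above concrete, here is a small kill-chain monitor written as an added example. It is not ThreatStryker's code; the stage names, risk weights, thresholds, the `app` label key, the pod names and the source IP are all assumptions, and the detections it ingests are constructed. For a remote source that reaches the Delivery stage it emits a Kubernetes NetworkPolicy that excludes that source from ingress; for a pod with correlated network and host evidence at Exploitation or later it emits a `kubectl patch` that drops the pod's `app` label, which makes the ReplicaSet schedule a clean replacement and removes the pod from its Service while leaving it running for forensics.

```python
"""Added example (not ThreatStryker code): a minimal kill-chain correlation
engine producing the two responses the text describes: block a source and
quarantine a workload. Stage names, weights, thresholds and label keys are
assumptions."""
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Kill-chain stages in attack order; the page names only the endpoints.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "exfiltration"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}
STAGE_WEIGHT = dict(zip(STAGES, [1, 1, 2, 4, 5, 6, 8]))  # assumed risk per detection


@dataclass
class Event:
    kind: str          # "network" or "host"
    app: str           # value of the (assumed) "app" label shared by the workload's pods
    pod: str           # pod the detection was observed on
    stage: str         # kill-chain stage the detection maps to
    source: str = ""   # remote IP, network events only


@dataclass
class PodState:
    risk: int = 0
    stages: set = field(default_factory=set)
    sources: dict = field(default_factory=dict)   # source IP -> furthest stage seen
    network_evidence: bool = False
    host_evidence: bool = False


def deny_ingress_policy(app, source_ip):
    """NetworkPolicy keeping all ingress to pods labelled app=<app> except from
    source_ip. Policies are additive, so any other policy that still allows the
    source wins; ipBlock is for addresses outside the cluster, in-cluster pods
    should be blocked with podSelector/namespaceSelector instead."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"block-{source_ip.replace('.', '-')}-{app}"},
        "spec": {
            "podSelector": {"matchLabels": {"app": app}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                               "except": [f"{source_ip}/32"]}}]}],
        },
    }


def quarantine_command(pod):
    """kubectl invocation (as an argv list) that strategic-merge-patches the pod:
    removing the app label detaches it from Service and ReplicaSet selectors, so a
    clean replacement is created while this pod stays up for evidence collection."""
    patch = {"metadata": {"labels": {"app": None, "quarantine": "true"}}}
    return ["kubectl", "patch", "pod", pod, "-p", json.dumps(patch)]


class KillChainMonitor:
    def __init__(self, block_at="delivery", quarantine_at="exploitation"):
        self.block_at = STAGE_INDEX[block_at]
        self.quarantine_at = STAGE_INDEX[quarantine_at]
        self.pods = defaultdict(PodState)
        self.blocked, self.quarantined = set(), set()
        self.history = []   # every detection, kept for later forensic review

    def furthest_stage(self, pod):
        return max((STAGE_INDEX[s] for s in self.pods[pod].stages), default=-1)

    def ingest(self, ev):
        """Record one detection and return the response actions it triggers."""
        self.history.append(ev)
        st = self.pods[ev.pod]
        st.risk += STAGE_WEIGHT[ev.stage]
        st.stages.add(ev.stage)
        if ev.kind == "network":
            st.network_evidence = True
            st.sources[ev.source] = max(st.sources.get(ev.source, -1), STAGE_INDEX[ev.stage])
        else:
            st.host_evidence = True
        actions = []
        # Block each remote source once its own traffic reaches the block stage.
        for src, stage in sorted(st.sources.items()):
            if stage >= self.block_at and src not in self.blocked:
                self.blocked.add(src)
                actions.append(("block_source", src, deny_ingress_policy(ev.app, src)))
        # Quarantine needs correlated network AND host evidence past the threshold,
        # so a lone host-side signal does not take a service down.
        if (self.furthest_stage(ev.pod) >= self.quarantine_at and st.network_evidence
                and st.host_evidence and ev.pod not in self.quarantined):
            self.quarantined.add(ev.pod)
            actions.append(("quarantine", ev.pod, quarantine_command(ev.pod)))
        return actions


def run_demo():
    """Constructed detections: an external host probes a web pod, delivers a
    payload, and an unexpected process then appears on that pod. A host-only
    signal on db-0 raises risk but triggers no quarantine."""
    monitor, fired = KillChainMonitor(), []
    for ev in [
        Event("network", "web", "web-7d9f-abc12", "reconnaissance", "203.0.113.7"),
        Event("network", "web", "web-7d9f-abc12", "delivery", "203.0.113.7"),
        Event("host", "web", "web-7d9f-abc12", "exploitation"),
        Event("host", "db", "db-0", "installation"),
    ]:
        fired.extend(monitor.ingest(ev))
    return monitor, fired


if __name__ == "__main__":
    for action, target, payload in run_demo()[1]:
        print(action, target, json.dumps(payload))
```

The thresholds are deliberately separate: blocking a source is cheap and reversible, so it fires at Delivery, while quarantine costs capacity and so waits for Exploitation plus evidence from both the network and the host.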